[apparmor] /.load missing

John Johansen john.johansen at canonical.com
Tue Nov 5 12:10:35 UTC 2019


On 11/5/19 3:59 AM, Lioh Moeller wrote:
> Hi again.
> 
>>> I am trying to run AppArmor on my system. I have compiled AppArmor support into the kernel but while trying to start the service I got an error message because /sys/kernel/security/.load is missing:
>>>
>>> https://termbin.com/8gsj
>>>
>>
>> /sys/kernel/security/.load is the wrong location
>>
>> if securityfs is mounted at /sys/kernel/security then apparmor will create a directory within it and within the apparmor directory will be the .load file
>>
>> ie. the location should be
>>
>> /sys/kernel/security/apparmor/.load
> 
> Thanks for the clarification.
> 
>> you can tell if apparmor has successfully initialized by the following messages showing up in dmesg
>>
>> AppArmor initialized
> 
> It does not show up on my machine,
> 
> 
>> which will show up if the LSM module successfully registered, if not present ensure apparmor is configured in the kernel and that it is being used on boot (the config or security= or lsm= depending on your kernel version)
>>
>> and
>>
>> AppArmor Filesystem Enabled
>>
>> which will show up if apparmor can successfully set up its filesystem interfaces
> 
> I have set
> 
> CONFIG_LSM="yama,loadpin,safesetid,integrity"
> 
> Do I have to add apparmor to the LSM list?

yes, that is the list of lsms that will be enabled at boot, you can override in grub with the kernel parameter

lsm=yama,loadpin,safesetid,integrity,apparmor

> 
> CONFIG_SECURITY_APPARMOR=y
> CONFIG_SECURITY_APPARMOR_HASH=y
> CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
> 
> Currently CONFIG_DEFAULT_SECURITY_DAC is set. Should I switch that to:
> 
> CONFIG_DEFAULT_SECURITY_APPARMOR=y
> 

CONFIG_DEFAULT_SECURITY is an old config option from before the newer lsm stacking patches landed in 5.1

eg for a 5.1 kernel the only config entries that have apparmor are

CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
CONFIG_SECURITY_APPARMOR_DEBUG=y
CONFIG_SECURITY_APPARMOR_DEBUG_ASSERTS=y
# CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES is not set
CONFIG_LSM="yama,loadpin,safesetid,integrity,apparmor"


on older kernels I have
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
# CONFIG_SECURITY_APPARMOR_STATS is not set
CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y
CONFIG_SECURITY_APPARMOR_HASH=y
CONFIG_SECURITY_APPARMOR_HASH_DEFAULT=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"

> Greetings
> 
> Lioh
> 
> 
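
Added example, not part of the original message: the checks described in the thread (apparmor in the effective LSM list, the two dmesg messages, and the .load file inside the apparmor securityfs directory) as a POSIX shell script for a 5.1 or later kernel that uses CONFIG_LSM / lsm=. The function names and the sample config, command line and dmesg lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): boot-time AppArmor checks for a kernel
# 5.1 or later using CONFIG_LSM / lsm=. Function names are hypothetical.

# Succeeds if "apparmor" is an element of the comma-separated LSM list $1.
lsm_list_has_apparmor() {
    case ",$1," in *,apparmor,*) return 0 ;; *) return 1 ;; esac
}

# Prints the LSM list used at boot: an lsm= parameter on the kernel
# command line ($2) overrides CONFIG_LSM from the kernel config text ($1).
effective_lsm() {
    list=$(printf '%s\n' "$1" | sed -n 's/^CONFIG_LSM="\(.*\)"$/\1/p')
    for arg in $2; do
        case "$arg" in lsm=*) list=${arg#lsm=} ;; esac
    done
    printf '%s\n' "$list"
}

# Prints the first failing check, or "ok".
# $1 = kernel config text, $2 = kernel command line, $3 = dmesg output
apparmor_boot_status() {
    if ! printf '%s\n' "$1" | grep -q '^CONFIG_SECURITY_APPARMOR=y$'; then
        echo "not-compiled-in"
    elif ! lsm_list_has_apparmor "$(effective_lsm "$1" "$2")"; then
        echo "not-in-lsm-list"
    elif ! printf '%s\n' "$3" | grep -q 'AppArmor initialized'; then
        echo "lsm-not-registered"
    elif ! printf '%s\n' "$3" | grep -q 'AppArmor Filesystem Enabled'; then
        echo "no-filesystem-interface"
    else
        echo "ok"
    fi
}

# Succeeds if the policy load interface exists under the securityfs mount $1.
load_file_present() {
    [ -e "${1:-/sys/kernel/security}/apparmor/.load" ]
}

# Constructed sample input, modelled on the config quoted in the thread.
SAMPLE_CONFIG='CONFIG_SECURITY_APPARMOR=y
CONFIG_LSM="yama,loadpin,safesetid,integrity"'
SAMPLE_DMESG='[    0.100000] AppArmor: AppArmor initialized
[    0.900000] AppArmor: AppArmor Filesystem Enabled'

apparmor_boot_status "$SAMPLE_CONFIG" "ro quiet" ""
apparmor_boot_status "$SAMPLE_CONFIG" "ro quiet lsm=yama,loadpin,safesetid,integrity,apparmor" "$SAMPLE_DMESG"
```

On a live system the three arguments would come from the running kernel's config, /proc/cmdline and dmesg; where the kernel config is stored varies by distribution.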



